I was speaking from a business use perspective, where there's enough IT support to whitelist as necessary. In that scenario, I think that the application whitelisting is very feasible, but needs to be coupled with users only having non-admin access, and only a defined set of apps in play.
From a personal-use perspective, application whitelisting is a much longer and harder row to hoe.

Kurt

On Fri, May 7, 2010 at 16:00, Alex Eckelberry <[email protected]> wrote:
> Not sure about that. What happens when the whitelisting vendor screws up a dat file, and you can't run any of your programs at all because they are not "allowed"? The problem is compounded by the fact that there are far more legitimate files released daily than there are malicious files, so whitelisting applications need to update even more than blacklisting apps.
>
> Alex
>
> -----Original Message-----
> From: Kurt Buff [mailto:[email protected]]
> Sent: Friday, May 07, 2010 6:26 PM
> To: NT System Admin Issues
> Subject: Re: Sunbelt, McAfee, Symantec - now Clam
>
> It's called "Application Whitelisting", methinks.
>
> On Fri, May 7, 2010 at 11:59, Andrew S. Baker <[email protected]> wrote:
>> First off, the ClamAV issue was somewhat mitigated by them telling everyone to be off of v96 for a few weeks. :)
>> But, the reality of this situation is that signature-based host-level protection is getting to the point where the human error factor is too high. (I feel a blog entry coming up soon)
>> In order to attack the threats that are out there, signatures need to be updated frequently, and increasing the frequency places greater burden on the QA process, and increases the risk of a self-inflicted DoS.
>> What this signifies is that we need to start demanding a different approach to host-based protection *as the norm*, because there is now as great a chance that your system can be made ineffective from an AV update as from an actual piece of malware.
>> AV in its current form really has to die, as there is no way for the good guys to keep up with the bad guys, leaving us vulnerable to even more foolishness from creative bad guys.
>>
>> -ASB: http://XeeSM.com/AndrewBaker
>>
>> On Fri, May 7, 2010 at 1:27 PM, Kurt Buff <[email protected]> wrote:
>>> -------- Original Message --------
>>> Subject: [Clamav-announce] problem with daily.cvd 10938
>>> Date: Fri, 7 May 2010 13:06:56 +0200
>>> From: Luca Gibelli <[email protected]>
>>> Reply-To: [email protected]
>>> To: ClamAV Announce <[email protected]>
>>>
>>> Dear ClamAV users,
>>>
>>> about 15 mins ago we released daily.cvd 10938. This update apparently caused a segmentation fault in all ClamAV versions older than 0.96 on 32 bit systems.
>>>
>>> We just released daily.cvd 10939 which removes the faulty signature and we have taken measures to ensure that this problem won't happen again.
>>>
>>> We recommend using a monitor tool like clamdwatch or clamdmon to automatically restart clamd whenever it dies.
>>>
>>> If you are already using a similar solution, your clamd will be restarted automatically as soon as freshclam downloads the daily.cvd 10939 update.
>>>
>>> We apologise for the inconvenience.
>>>
>>> Regards,
>>>
>>> --
>>> Luca Gibelli (luca _at_ clamav.net) ClamAV, a GPL anti-virus toolkit
>>> [Tel] +39 0187 1851862 [Fax] +39 0187 1852252 [IM] nervous/jabber.linux.it
>>> PGP key id 5EFC5582 @ any key-server || http://www.clamav.net/gpg/luca.gpg
>>> _______________________________________________
>>>
>>> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
>>> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
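Luca's advice above (restart clamd when it dies) recovers after the crash; the script below is an added example, not something posted in the thread or shipped by the ClamAV project, of catching a bad daily.cvd before it goes live: it reads the version out of the CVD header and runs a canary scan with the staged database only, so a signature that crashes the engine fails in staging instead of in production. It assumes a staging directory holding a full database set (fetched with `freshclam --datadir`); the directory paths, the `--run` flag and the function names are this example's own.

```shell
#!/bin/bash
# Staged ClamAV signature update (added example): check a freshly fetched
# database with a canary scan BEFORE it replaces the live one.
# Assumes the staging dir holds a full database set (main + daily) fetched
# with e.g. `freshclam --datadir="$STAGING"`.
set -u

# Field 3 of the 512-byte CVD header is the database version number:
# ClamAV-VDB:<build time>:<version>:<sigs>:<min flevel>:<md5>:<dsig>:<builder>:<stime>
cvd_version() {
    head -c 512 "$1" 2>/dev/null | cut -d: -f3 | tr -d '[:space:]'
}

# Canary scan with ONLY the staged database ($2), using the scanner command $1.
# Passes iff the scanner survives both runs, reports the clean file clean (exit 0)
# and flags the EICAR test file (exit 1). A segfault shows up as exit >= 128.
canary_scan() {
    local scanner=$1 dbdir=$2 tmp rc_clean=0 rc_eicar=0
    tmp=$(mktemp -d) || return 1
    printf 'just text\n' > "$tmp/clean.txt"
    # Harmless industry-standard EICAR test string, written in two parts.
    printf '%s%s' 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE' '!$H+H*' > "$tmp/eicar.com"
    "$scanner" --database="$dbdir" "$tmp/clean.txt" >/dev/null 2>&1 || rc_clean=$?
    "$scanner" --database="$dbdir" "$tmp/eicar.com" >/dev/null 2>&1 || rc_eicar=$?
    rm -rf "$tmp"
    [ "$rc_clean" -eq 0 ] && [ "$rc_eicar" -eq 1 ]
}

# Promote staging/$4 into the live dir $3 only if it is newer and passes the canary.
# Exit codes: 0 promoted, 1 no header, 2 not newer, 3 failed canary.
promote_if_good() {
    local scanner=$1 staging=$2 live=$3 name=$4 new cur
    new=$(cvd_version "$staging/$name"); cur=$(cvd_version "$live/$name")
    [ -n "$new" ] || { echo "no CVD header in $staging/$name" >&2; return 1; }
    [ -n "$cur" ] || cur=0
    if [ "$new" -le "$cur" ]; then
        echo "$name: staged version $new is not newer than live $cur" >&2; return 2
    fi
    if ! canary_scan "$scanner" "$staging"; then
        echo "$name: version $new FAILED canary scan, keeping live $cur" >&2; return 3
    fi
    cp "$staging/$name" "$live/$name.tmp" && mv "$live/$name.tmp" "$live/$name" \
        && echo "$name: promoted $cur -> $new"
}

# Stand-alone use (hypothetical paths): promote daily.cvd from staging to live.
if [ "${1:-}" = "--run" ]; then
    promote_if_good clamscan "${STAGING:-/var/lib/clamav-staging}" "${LIVE:-/var/lib/clamav}" daily.cvd
fi
```

Run it from cron right after `freshclam --datadir="$STAGING"`; a non-zero exit (2 or 3) means the live database was left untouched, which is the alert to act on.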
